Re: PF to Preventing SMTP Brute Force Attacks
Better use something like fail2ban.

-- 
Best regards,
Adrian Minta

___
freebsd-stable@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-stable
To unsubscribe, send any mail to freebsd-stable-unsubscr...@freebsd.org
Re: PF to Preventing SMTP Brute Force Attacks
On Jun 15, 2012, at 12:55 PM, Shiv. Nath wrote:

> # START
> table bruteforce persist
> block in log quick from bruteforce
> pass in on $ext_if proto tcp \
>     from any to $ext_if port $trusted_tcp_ports \
>     flags S/SA keep state \
>     (max-src-conn-rate 3/300, overload bruteforce flush global)
> # END
>
> AND CRON:
> */12 * * * * /sbin/pfctl -t ssh-bruteforce -T expire 604800 > /dev/null 2>&1
>
> What is the function of expire 604800? Are they entries in the table?
> Should it be -t bruteforce or -t ssh-bruteforce?

It refers to entries in the table specified by the -t option and instructs pf to expire (remove from the table) all entries older than the specified time (in seconds). Basically, the value 604800 will expire entries older than 1 week.

For the above pf rules, the cron entry should be -t bruteforce (although in the pf rules you should be using <bruteforce>).

Cheers,
Paul.

Dear Matthew, Paul,

Thank you very much for your time, efforts and energy to help me configure PF. Matthew also advised to create a whitelist, so that I do not lock myself out. I have yet to look at it. I will get in touch if I require more help.

Thanks / Regards
PF to Preventing SMTP Brute Force Attacks
Hi FreeBSD Gurus,

I want to use PF to prevent SMTP brute force attacks. I need some help to understand the correct syntax.

URL explaining this: http://www.openbsd.org/faq/pf/filter.html#stateopts

I expect the following behavior from the PF rule below:

- Limit the absolute maximum number of states that this rule can create to 200
- Enable source tracking; limit state creation based on states created by this rule only
- Limit the maximum number of nodes that can simultaneously create state to 100
- Limit the maximum number of simultaneous states per source IP to 3

Solution:

    int0=em0
    trusted_tcp_ports="{22,25,443,465}"
    pass in on $int0 proto tcp from any to any port $trusted_tcp_ports \
        keep state (max 200, source-track rule, max-src-nodes 100, max-src-states 3)

Please help ..

Thanks / Regards
Re: PF to Preventing SMTP Brute Force Attacks
On 15/06/2012 17:17, Shiv. Nath wrote:
> Hi FreeBSD Gurus,
>
> I want to use PF to prevent SMTP brute force attacks. I need some help to understand the correct syntax.
>
> URL explaining this: http://www.openbsd.org/faq/pf/filter.html#stateopts
>
> I expect the following behavior from the PF rule below:
>
> - Limit the absolute maximum number of states that this rule can create to 200
> - Enable source tracking; limit state creation based on states created by this rule only
> - Limit the maximum number of nodes that can simultaneously create state to 100
> - Limit the maximum number of simultaneous states per source IP to 3
>
> Solution:
>
>     int0=em0
>     trusted_tcp_ports="{22,25,443,465}"
>     pass in on $int0 proto tcp from any to any port $trusted_tcp_ports \
>         keep state (max 200, source-track rule, max-src-nodes 100, max-src-states 3)

Limiting yourself to 200 states won't protect you very much -- you tend to get a whole series of attacks from the same IP, and that just uses one state at a time. Instead, look at the frequency with which an attacker tries to connect to you. Something like this:

    table <bruteforce> persist

    [...]

    block in log quick from <bruteforce>

    [...]

    pass in on $ext_if proto tcp \
        from any to $ext_if port $trusted_tcp_ports \
        flags S/SA keep state \
        (max-src-conn-rate 3/300, overload <bruteforce> flush global)

Plus you'll need a cron job like this to clean up the bruteforce table, otherwise it will just grow larger and larger:

    */12 * * * * /sbin/pfctl -t ssh-bruteforce -T expire 604800 > /dev/null 2>&1

The end result of this is that if one IP tries to connect to you more than 3 times in 5 minutes, they will get blacklisted. I normally use this just for ssh, so you might want to adjust the parameters appropriately.

You should also implement a whitelist for IP ranges you control or use frequently and that will never be used for bruteforce attacks: it is quite easy to block yourself out with these sort of rules.

Cheers,

Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.                   7 Priory Courtyard
                                                  Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey     Ramsgate
JID: matt...@infracaninophile.co.uk               Kent, CT11 9PW
Re: PF to Preventing SMTP Brute Force Attacks
> Limiting yourself to 200 states won't protect you very much -- you tend to get a whole series of attacks from the same IP, and that just uses one state at a time. Instead, look at the frequency with which an attacker tries to connect to you. Something like this:
>
>     table <bruteforce> persist
>
>     [...]
>
>     block in log quick from <bruteforce>
>
>     [...]
>
>     pass in on $ext_if proto tcp \
>         from any to $ext_if port $trusted_tcp_ports \
>         flags S/SA keep state \
>         (max-src-conn-rate 3/300, overload <bruteforce> flush global)
>
> Plus you'll need a cron job like this to clean up the bruteforce table, otherwise it will just grow larger and larger:
>
>     */12 * * * * /sbin/pfctl -t ssh-bruteforce -T expire 604800 > /dev/null 2>&1
>
> The end result of this is that if one IP tries to connect to you more than 3 times in 5 minutes, they will get blacklisted. I normally use this just for ssh, so you might want to adjust the parameters appropriately.
>
> You should also implement a whitelist for IP ranges you control or use frequently and that will never be used for bruteforce attacks: it is quite easy to block yourself out with these sort of rules.
>
> Cheers,
>
> Matthew
>
> -- 
> Dr Matthew J Seaman MA, D.Phil.                   7 Priory Courtyard
>                                                   Flat 3
> PGP: http://www.infracaninophile.co.uk/pgpkey     Ramsgate
> JID: matt...@infracaninophile.co.uk               Kent, CT11 9PW

Dear Matthew,

Grateful for sending me in the right direction; the solution really sounds good. Does it look like a good configuration for /etc/pf.conf?

    # START
    table bruteforce persist
    block in log quick from bruteforce
    pass in on $ext_if proto tcp \
        from any to $ext_if port $trusted_tcp_ports \
        flags S/SA keep state \
        (max-src-conn-rate 3/300, overload bruteforce flush global)
    # END

AND CRON:

    */12 * * * * /sbin/pfctl -t ssh-bruteforce -T expire 604800 > /dev/null 2>&1

What is the function of expire 604800? Are they entries in the table?
Should it be -t bruteforce or -t ssh-bruteforce?

Thanks
Re: PF to Preventing SMTP Brute Force Attacks
On Fri, Jun 15, 2012 at 04:17:06PM -, Shiv. Nath wrote:
> Hi FreeBSD Gurus,
>
> I want to use PF to prevent SMTP brute force attacks. I need some help to understand the correct syntax.
>
> URL explaining this: http://www.openbsd.org/faq/pf/filter.html#stateopts
>
> I expect the following behavior from the PF rule below:
>
> - Limit the absolute maximum number of states that this rule can create to 200
> - Enable source tracking; limit state creation based on states created by this rule only
> - Limit the maximum number of nodes that can simultaneously create state to 100
> - Limit the maximum number of simultaneous states per source IP to 3
>
> Solution:
>
>     int0=em0
>     trusted_tcp_ports="{22,25,443,465}"
>     pass in on $int0 proto tcp from any to any port $trusted_tcp_ports \
>         keep state (max 200, source-track rule, max-src-nodes 100, max-src-states 3)

I don't know if max will work here but this is what I use for a sshd rule.

    pass in log quick proto tcp from any port > 1023 to any port 22 \
        flags S/SA keep state \
        (max-src-conn 5, max-src-conn-rate 5/15, overload <sshmart> flush global)

You should be using the syntax from pf41 through pf45. The URL you referenced has a syntax that changed in pf46, pf47 onward...

-- 
- (2^(N-1))
Re: PF to Preventing SMTP Brute Force Attacks
On 15/06/2012 17:55, Shiv. Nath wrote:
>> Limiting yourself to 200 states won't protect you very much -- you tend to get a whole series of attacks from the same IP, and that just uses one state at a time. Instead, look at the frequency with which an attacker tries to connect to you. Something like this:
>>
>>     table <bruteforce> persist
>>
>>     [...]
>>
>>     block in log quick from <bruteforce>
>>
>>     [...]
>>
>>     pass in on $ext_if proto tcp \
>>         from any to $ext_if port $trusted_tcp_ports \
>>         flags S/SA keep state \
>>         (max-src-conn-rate 3/300, overload <bruteforce> flush global)
>>
>> Plus you'll need a cron job like this to clean up the bruteforce table, otherwise it will just grow larger and larger:
>>
>>     */12 * * * * /sbin/pfctl -t ssh-bruteforce -T expire 604800 > /dev/null 2>&1
>>
>> The end result of this is that if one IP tries to connect to you more than 3 times in 5 minutes, they will get blacklisted. I normally use this just for ssh, so you might want to adjust the parameters appropriately.
>>
>> You should also implement a whitelist for IP ranges you control or use frequently and that will never be used for bruteforce attacks: it is quite easy to block yourself out with these sort of rules.
>>
>> Cheers,
>>
>> Matthew
>
> Dear Matthew,
>
> Grateful for sending me in the right direction; the solution really sounds good. Does it look like a good configuration for /etc/pf.conf?
>
>     # START
>     table bruteforce persist

Watch the syntax -- it's

    table <bruteforce> persist

with angle brackets.

>     block in log quick from bruteforce
>     pass in on $ext_if proto tcp \
>         from any to $ext_if port $trusted_tcp_ports \
>         flags S/SA keep state \
>         (max-src-conn-rate 3/300, overload bruteforce flush global)

Again -- you need angle brackets around the table name.

>     # END
>
> AND CRON:
>
>     */12 * * * * /sbin/pfctl -t ssh-bruteforce -T expire 604800 > /dev/null 2>&1
>
> What is the function of expire 604800? Are they entries in the table?
> Should it be -t bruteforce or -t ssh-bruteforce?

Ooops. Yes, -t bruteforce is correct.

expire 604800 means delete entries after they've been in the table for that number of seconds (ie after one week).

Cheers,

Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.                   7 Priory Courtyard
                                                  Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey     Ramsgate
JID: matt...@infracaninophile.co.uk               Kent, CT11 9PW
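The rate-limit rule Matthew recommends (max-src-conn-rate 3/300 with overload into a table and flush global), the whitelist he says you need so you do not lock yourself out, and the weekly `pfctl -T expire 604800` cleanup that Paul and Matthew explain all interact in ways that are easy to misjudge. The model below is an added example written for this thread; it is not pf code, not from any poster, and does not call pfctl. It approximates pf's moving-average connection rate with a simple sliding window (an assumption: pf's exact estimator differs), treats the whitelist as if a `pass in quick from <whitelist>` rule preceded the rate-limited rule (a hypothetical rule, not one from the thread), and uses constructed TEST-NET addresses. It shows which source is overloaded, that its existing states are flushed, that a slow legitimate sender is never blocked, and that only the cron expire eventually releases the blocked address.

```python
"""Model of the pf rule set discussed in this thread (added example, not pf's code):

    table <bruteforce> persist
    block in log quick from <bruteforce>
    pass in on $ext_if proto tcp from any to $ext_if port $trusted_tcp_ports \
        flags S/SA keep state \
        (max-src-conn-rate 3/300, overload <bruteforce> flush global)

    # cron:  */12 * * * * /sbin/pfctl -t bruteforce -T expire 604800
"""
from collections import defaultdict, deque

MAX_CONNS = 3          # max-src-conn-rate 3/300: more than 3 new connections ...
WINDOW_SECS = 300      # ... within 300 seconds overloads the source address
EXPIRE_SECS = 604800   # pfctl -T expire 604800: drop table entries older than a week


class PfBruteForceModel:
    """Sliding-window approximation of pf's per-source connection-rate tracking."""

    def __init__(self, whitelist=()):
        self.whitelist = set(whitelist)      # hypothetical <whitelist> table
        self.table = {}                      # <bruteforce>: src -> time it was added
        self.recent = defaultdict(deque)     # src -> timestamps of recent new connections
        self.states = defaultdict(int)       # src -> open states (to show "flush global")

    def new_connection(self, ts, src):
        """Decide what happens to a new SYN from `src` at time `ts` (seconds)."""
        # Assumed "pass in quick from <whitelist>" ahead of the rate-limited rule.
        if src in self.whitelist:
            self.states[src] += 1
            return "pass"
        # "block in log quick from <bruteforce>" matches before the pass rule.
        if src in self.table:
            return "block"
        window = self.recent[src]
        while window and ts - window[0] >= WINDOW_SECS:
            window.popleft()                 # forget connections outside the window
        window.append(ts)
        if len(window) > MAX_CONNS:
            # overload <bruteforce>: add the source; flush global: kill its states.
            self.table[src] = ts
            self.states[src] = 0
            window.clear()
            return "overload"
        self.states[src] += 1
        return "pass"

    def expire(self, now, older_than=EXPIRE_SECS):
        """What the cron job does: remove entries older than `older_than` seconds."""
        stale = sorted(src for src, added in self.table.items() if now - added > older_than)
        for src in stale:
            del self.table[src]
        return stale


# Constructed sample traffic (TEST-NET addresses), sorted by time in seconds.
EVENTS = [
    (0, "203.0.113.7"), (0, "198.51.100.5"),
    (5, "192.0.2.10"), (6, "192.0.2.10"), (7, "192.0.2.10"), (8, "192.0.2.10"), (9, "192.0.2.10"),
    (10, "203.0.113.7"), (20, "203.0.113.7"), (30, "203.0.113.7"), (40, "203.0.113.7"),
    (100, "198.51.100.5"), (200, "198.51.100.5"), (400, "198.51.100.5"),
]


def run_demo():
    """Replay EVENTS; return per-source decisions, the table, and two expire runs."""
    model = PfBruteForceModel(whitelist={"192.0.2.10"})   # 192.0.2.10 is "our" range
    decisions = defaultdict(list)
    for ts, src in EVENTS:
        decisions[src].append(model.new_connection(ts, src))
    blocked = sorted(model.table)
    expired_after_hour = model.expire(now=40 + 3600)               # nothing old enough yet
    expired_after_week = model.expire(now=40 + EXPIRE_SECS + 1)    # attacker released
    return dict(decisions), blocked, expired_after_hour, expired_after_week


if __name__ == "__main__":
    for item in run_demo():
        print(item)
```

Two things the replay makes visible: the fourth connection inside the window is the one that trips the overload (three are allowed), and the address stays in the table across later cron runs until it has been there longer than 604800 seconds, so without the expire job the table only ever grows, exactly as Matthew warns.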
Re: PF to Preventing SMTP Brute Force Attacks
> Dear Matthew,
>
> Grateful for sending me in the right direction; the solution really sounds good. Does it look like a good configuration for /etc/pf.conf?
>
>     # START
>     table bruteforce persist

Watch the syntax -- it's

    table <bruteforce> persist

with angle brackets.

>     block in log quick from bruteforce
>     pass in on $ext_if proto tcp \
>         from any to $ext_if port $trusted_tcp_ports \
>         flags S/SA keep state \
>         (max-src-conn-rate 3/300, overload bruteforce flush global)

Again -- you need angle brackets around the table name.

>     # END
>
> AND CRON:
>
>     */12 * * * * /sbin/pfctl -t ssh-bruteforce -T expire 604800 > /dev/null 2>&1
>
> What is the function of expire 604800? Are they entries in the table?
> Should it be -t bruteforce or -t ssh-bruteforce?

Ooops. Yes, -t bruteforce is correct.

expire 604800 means delete entries after they've been in the table for that number of seconds (ie after one week).

Cheers,

Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.                   7 Priory Courtyard
                                                  Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey     Ramsgate
JID: matt...@infracaninophile.co.uk               Kent, CT11 9PW

Dear Matthew,

I am very much grateful for your assistance and advice on configuring PF correctly. Well done!

Thanks / Regards